Reflective Memory Attacks Deep Dive: How They Work; Why They’re Hard to Detect

© 2013 Monterey Technology Group Inc.

Upload: lumension

Post on 15-Jul-2015


TRANSCRIPT

Page 1: Reflective Memory Attacks Deep Dive: How They Work; Why They’re Hard to Detect

Page 2

Brought to you by Lumension (www.lumension.com)

Speaker: Dan Teal, Senior Architect

Page 3

Preview of Key Points

• How did we get to where we are today with reflective memory attacks?
• How does reflective memory injection work?
• Why doesn’t AV or application whitelisting detect it?
• What does a process look like that has been injected this way?
• How can it be detected via security software?

Page 4

How did we get to where we are today with reflective memory attacks?

The attack technique has evolved in three stages:
• Simple scripts
• Buffer overflows with file drops (the exploit writes a malware file to disk and then runs it)
• Reflective memory injection (the payload lives only in memory; nothing is written to disk)

Page 5

How does reflective memory injection work?

Background needed to follow the technique:
• Relocatable code
• DLLs
• Threads
• Memory management
  • Stack
  • Heap
  • Addresses/pointers
• Function calls

Page 6

How does reflective memory injection work?

• Malformed content is sent to the PC
• Buffer overflow
• Shellcode activates
• Downloads the larger malware payload from the Internet
• Writes the malware directly into heap memory
  • No file access
• Dynamically resolves the function calls the payload references
• Flags the memory as executable
• Spins up a thread to run the malware

Page 7

How does reflective memory injection work?

More details: what the Reflective Loader does once the library is inside the target

• Write the library into the address space of the target process
• Pass execution to the Reflective Loader (an exported function inside the library itself)
• It determines its own location in memory so that it can parse its own headers
• It parses the kernel32.dll export table to calculate the addresses of GetProcAddress and VirtualAlloc (and LoadLibraryA, which it needs to pull in its own imports)
• It allocates a contiguous block of memory for loading its image
• It loads in its headers and sections
• It processes its import table, loading additional libraries as needed and resolving imported function addresses
• It processes its relocation table
• It calls its entry point function, DllMain
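The export-table walk from the fourth step above, as an added example that is not part of the original slides or of Stephen Fewer's code: portable C that parses the PE export directory of a constructed, in-memory stand-in for kernel32.dll (no real DLL is read, so it runs on any platform) and resolves exports by the ROR-13 name hash Fewer's ReflectiveLoader uses, which is why the strings "GetProcAddress" and "VirtualAlloc" never have to appear in the injected image. Every offset, name and RVA in the fake image is an assumption chosen for the example; in a mapped image RVAs are offsets from the image base, which is why a flat byte buffer stands in for the loaded module.

```c
/* Added example, not the deck's or Fewer's code: the "parse kernel32's export
 * table" step of a reflective loader, run against a CONSTRUCTED PE image. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMG_SIZE 4096

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void put16(uint8_t *p, uint32_t off, uint16_t v) { p[off] = (uint8_t)v; p[off + 1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *p, uint32_t off, uint32_t v) {
    for (int i = 0; i < 4; i++) p[off + i] = (uint8_t)(v >> (8 * i));
}

/* ROR-13 rolling hash of an export name: the loader stores only this 32-bit
 * value, so no API name string is present in the injected image. */
uint32_t ror13_hash(const char *s) {
    uint32_t h = 0;
    for (; *s; s++) { h = (h >> 13) | (h << 19); h += (uint8_t)*s; }
    return h;
}

/* Walk IMAGE_EXPORT_DIRECTORY of a mapped image and return the RVA of the
 * export whose name hashes to `want`, or 0 if absent or the headers are bad.
 * Every RVA is bounds-checked against `len` before it is dereferenced. */
uint32_t find_export_by_hash(const uint8_t *img, size_t len, uint32_t want) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t nt = rd32(img + 0x3C);                      /* e_lfanew */
    if (nt > len || len - nt < 24 + 120 || memcmp(img + nt, "PE\0\0", 4) != 0) return 0;
    const uint8_t *opt = img + nt + 24;                  /* IMAGE_OPTIONAL_HEADER */
    uint32_t dd_off = (rd16(opt) == 0x20B) ? 112 : 96;   /* PE32+ vs PE32 DataDirectory */
    uint32_t exp_rva = rd32(opt + dd_off);               /* DataDirectory[0] = exports */
    if (exp_rva == 0 || exp_rva > len || len - exp_rva < 40) return 0;
    const uint8_t *ed = img + exp_rva;                   /* IMAGE_EXPORT_DIRECTORY */
    uint32_t nfuncs = rd32(ed + 20), nnames = rd32(ed + 24);
    uint32_t funcs = rd32(ed + 28), names = rd32(ed + 32), ords = rd32(ed + 36);
    for (uint32_t i = 0; i < nnames; i++) {
        if ((uint64_t)names + 4ULL * i + 4 > len || (uint64_t)ords + 2ULL * i + 2 > len) return 0;
        uint32_t name_rva = rd32(img + names + 4 * i);
        if (name_rva >= len || memchr(img + name_rva, 0, len - name_rva) == NULL) return 0;
        if (ror13_hash((const char *)img + name_rva) != want) continue;
        uint16_t idx = rd16(img + ords + 2 * i);         /* index into AddressOfFunctions */
        if (idx >= nfuncs || (uint64_t)funcs + 4ULL * idx + 4 > len) return 0;
        return rd32(img + funcs + 4 * idx);
    }
    return 0;
}

uint32_t find_export(const uint8_t *img, size_t len, const char *name) {
    return find_export_by_hash(img, len, ror13_hash(name));
}

/* CONSTRUCTED stand-in for a mapped kernel32.dll: MZ/PE headers plus an export
 * directory with three names.  Name order deliberately differs from function
 * order so the ordinal indirection is exercised. */
void build_fake_image(uint8_t *img) {
    static const char *names[3] = { "GetProcAddress", "LoadLibraryA", "VirtualAlloc" };
    static const uint32_t func_rva[3] = { 0x2300, 0x2100, 0x2200 }; /* AddressOfFunctions */
    static const uint16_t name_ord[3] = { 1, 2, 0 };                 /* AddressOfNameOrdinals */
    memset(img, 0, IMG_SIZE);
    img[0] = 'M'; img[1] = 'Z';
    put32(img, 0x3C, 0x80);                    /* e_lfanew */
    memcpy(img + 0x80, "PE\0\0", 4);
    put16(img, 0x84, 0x8664);                  /* Machine = AMD64 */
    put16(img, 0x94, 240);                     /* SizeOfOptionalHeader (PE32+) */
    put16(img, 0x98, 0x20B);                   /* OptionalHeader.Magic = PE32+ */
    put32(img, 0x98 + 112, 0x200);             /* DataDirectory[0].VirtualAddress */
    put32(img, 0x98 + 116, 0x100);             /* DataDirectory[0].Size */
    put32(img, 0x200 + 12, 0x300);             /* Name -> "FAKE32.dll" */
    put32(img, 0x200 + 16, 1);                 /* Base ordinal */
    put32(img, 0x200 + 20, 3);                 /* NumberOfFunctions */
    put32(img, 0x200 + 24, 3);                 /* NumberOfNames */
    put32(img, 0x200 + 28, 0x240);             /* AddressOfFunctions */
    put32(img, 0x200 + 32, 0x250);             /* AddressOfNames */
    put32(img, 0x200 + 36, 0x260);             /* AddressOfNameOrdinals */
    strcpy((char *)img + 0x300, "FAKE32.dll");
    for (uint32_t i = 0; i < 3; i++) {
        put32(img, 0x240 + 4 * i, func_rva[i]);
        put32(img, 0x250 + 4 * i, 0x310 + 0x10 * i);
        put16(img, 0x260 + 2 * i, name_ord[i]);
        strcpy((char *)img + 0x310 + 0x10 * i, names[i]);
    }
}

int main(void) {
    uint8_t img[IMG_SIZE];
    build_fake_image(img);
    const char *want[] = { "VirtualAlloc", "GetProcAddress", "CreateFileW" };
    for (int i = 0; i < 3; i++)
        printf("%-16s hash=0x%08x rva=0x%x\n", want[i], ror13_hash(want[i]),
               find_export(img, IMG_SIZE, want[i]));
    return 0;
}
```

The loader needs nothing but a mapped image to do this, which is why it can bootstrap from kernel32 without ever calling GetProcAddress first; and because only hashes travel with the payload, a scanner looking for API-name strings inside the RWX block finds nothing, one reason the deck's detection approaches look at where memory and threads are rather than at what the payload contains.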

Page 8

In a way, Microsoft makes it easy

• NtQueryVirtualMemory()
• VirtualAllocEx()
• NtReadVirtualMemory / NtWriteVirtualMemory
• NtCreateThread()

A process can access and manipulate the address space of another process
• When the equivalent functions are called from within the kernel, even DRM-protected processes can be accessed
• This is why Process Hacker offers to install its KProcessHacker kernel driver

This ease of access is a consequence of how Windows processes are created

Page 9

Why doesn’t AV or application whitelisting detect it?

• Nothing is dropped onto the file system
• It does not use LoadLibrary()
• The library will not show up in the process’s list of loaded modules
• RMI (reflective memory injection) places libraries into processes that are already authorized and running
• DEP, ASLR, and other mitigation technologies are great but not enough
• Blacklisting involves collecting a list of bad threat signatures and preventing those apps from running
  • Reactive: always a step behind the latest threats
• Traditional signature-based anti-virus is not enough

Page 10

What does a process look like that has been injected this way?

“At a process level the only indicators that the library exists is that there will be a chunk of allocated memory present, via VirtualAlloc, where the loaded library resides. This memory will be marked as readable, writable and executable. There will also be a thread of execution which will be, periodically at least, executing code from this memory chunk.”

Stephen Fewer, Harmony Security
http://www.harmonysecurity.com/files/HS-P005_ReflectiveDllInjection.pdf

Page 11

How can it be detected via security software?

Synchronously
• Rock solid, but prohibitively expensive performance-wise

Asynchronously
• Stack walking
  • Performance prohibitive
• Correlate processes with legitimate code
  • Catches the attack without impacting performance

Page 12

How can it be detected via security software?

Synchronously

Sequence of events a synchronous detector would need to observe:
• Allocate memory via VirtualAllocEx
• Copy in the library
• Link it in
• Start a thread

The Windows kernel only gives a few options for registering for callbacks.
Security software used to be able to hook the kernel to monitor VirtualAllocEx, but that is no longer an option on x64 with PatchGuard.
We can register to be notified when a thread is started (PsSetCreateThreadNotifyRoutine) but not when memory is allocated.

Page 13

How can it be detected via security software?

Asynchronously: stack walking
• Periodically analyze the call stack of every running thread to ensure that the instruction pointer in every stack frame points to legitimate code
• Pros: works very well if implemented correctly and can also detect some types of buffer overflows
• Cons: performance impact

Page 14

How can it be detected via security software?

Asynchronously: legitimate code correlation
• Continually track every process from the kernel and correlate its threads and memory regions with legitimate code
• Inputs: threads, memory regions, loaded module list (the module list can be manipulated, so it cannot be the only source of truth)
• Whitelisting provides great support for this by controlling the loading of kernel modules
• Pros: low performance impact
• Cons: limited to detecting library injection
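The two asynchronous checks from pages 13 and 14 run over one constructed process snapshot, as an added example that is not taken from the slides or from Lumension's product: "legitimate code" is defined as memory of type MEM_IMAGE (backed by a mapped executable file, which is the kernel's own view of the address space), not the PEB loaded-module list the slide warns can be manipulated. The first check flags executable regions with no image backing, the pattern Fewer's quote on page 10 describes; the second flags stack frames whose return address lands outside any image. The regions, frames, addresses and labels are constructed sample data; no live process is inspected.

```c
/* Added example, not the deck's or Lumension's code: orphan-executable-memory
 * and orphan-stack-frame checks over a CONSTRUCTED process snapshot. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { PROT_R = 1, PROT_W = 2, PROT_X = 4 };
enum { MEM_IMAGE = 1, MEM_MAPPED = 2, MEM_PRIVATE = 3 };

typedef struct {
    uint64_t base;      /* region start (as VirtualQueryEx would report it) */
    uint64_t size;
    unsigned protect;   /* PROT_* bits */
    unsigned type;      /* MEM_*: only MEM_IMAGE is file-backed executable code */
    const char *tag;    /* label used only for printing */
} region_t;

/* "Legitimate code" = inside a MEM_IMAGE region.  The PEB module list is not
 * consulted because an injected library can unlink or forge entries there. */
static int addr_in_image(const region_t *regs, size_t n, uint64_t addr) {
    for (size_t i = 0; i < n; i++)
        if (regs[i].type == MEM_IMAGE && addr >= regs[i].base && addr - regs[i].base < regs[i].size)
            return 1;
    return 0;
}

/* Legitimate code correlation (page 14): flag executable regions that are not
 * backed by an image.  Returns the hit count; region indices go into `out`. */
size_t find_orphan_exec_regions(const region_t *regs, size_t n, size_t *out, size_t outmax) {
    size_t hits = 0;
    for (size_t i = 0; i < n && hits < outmax; i++)
        if ((regs[i].protect & PROT_X) && regs[i].type != MEM_IMAGE)
            out[hits++] = i;
    return hits;
}

/* Stack walking (page 13): flag frames whose return address is outside any
 * image.  Frame addresses are what a stack walk of one thread would yield. */
size_t find_orphan_frames(const uint64_t *frames, size_t nframes,
                          const region_t *regs, size_t nregs, size_t *out, size_t outmax) {
    size_t hits = 0;
    for (size_t i = 0; i < nframes && hits < outmax; i++)
        if (!addr_in_image(regs, nregs, frames[i]))
            out[hits++] = i;
    return hits;
}

/* CONSTRUCTED snapshot of a 64-bit process: three images, a heap, a stack, the
 * RWX private block holding the injected library, and a benign JIT code heap
 * that shares the "executable but not image-backed" signature. */
const region_t SAMPLE_REGIONS[] = {
    { 0x7ff600000000ULL, 0x100000, PROT_R | PROT_X,          MEM_IMAGE,   "victim.exe" },
    { 0x7ffb10000000ULL, 0x200000, PROT_R | PROT_X,          MEM_IMAGE,   "kernel32.dll" },
    { 0x7ffb20000000ULL, 0x1c0000, PROT_R | PROT_X,          MEM_IMAGE,   "ntdll.dll" },
    { 0x1e000000000ULL,  0x010000, PROT_R | PROT_W,          MEM_PRIVATE, "heap" },
    { 0x1e000100000ULL,  0x020000, PROT_R | PROT_W | PROT_X, MEM_PRIVATE, "VirtualAlloc RWX (injected library)" },
    { 0xc000000000ULL,   0x100000, PROT_R | PROT_W,          MEM_PRIVATE, "thread stack" },
    { 0x1e000400000ULL,  0x100000, PROT_R | PROT_X,          MEM_PRIVATE, "JIT code heap (benign)" },
};
const size_t SAMPLE_NREGIONS = sizeof SAMPLE_REGIONS / sizeof SAMPLE_REGIONS[0];

/* Constructed return addresses for one thread, innermost frame first. */
const uint64_t SAMPLE_FRAMES[] = {
    0x7ffb20001234ULL,   /* in ntdll.dll (e.g. a wait syscall stub) */
    0x7ffb10005678ULL,   /* in kernel32.dll */
    0x1e000101000ULL,    /* inside the RWX block: the injected library's code */
    0x7ffb1000abcdULL,   /* in kernel32.dll (thread start thunk) */
};
const size_t SAMPLE_NFRAMES = sizeof SAMPLE_FRAMES / sizeof SAMPLE_FRAMES[0];

int main(void) {
    size_t hits[8], n;
    n = find_orphan_exec_regions(SAMPLE_REGIONS, SAMPLE_NREGIONS, hits, 8);
    for (size_t i = 0; i < n; i++)
        printf("executable region not backed by an image: %s @ 0x%llx\n",
               SAMPLE_REGIONS[hits[i]].tag, (unsigned long long)SAMPLE_REGIONS[hits[i]].base);
    n = find_orphan_frames(SAMPLE_FRAMES, SAMPLE_NFRAMES, SAMPLE_REGIONS, SAMPLE_NREGIONS, hits, 8);
    for (size_t i = 0; i < n; i++)
        printf("frame %zu returns into non-image memory: 0x%llx\n",
               hits[i], (unsigned long long)SAMPLE_FRAMES[hits[i]]);
    return 0;
}
```

The region check is cheap enough to run continuously, which is the "low performance impact" pro on page 14, but the benign JIT heap in the sample is flagged exactly like the injected library: a deployable version needs an allow-list for known JIT hosts, and that trade-off is the "limited to detecting library injection" con. The frame check is what stack walking would produce for one thread; doing it for every frame of every thread on a schedule is where the page 13 performance cost comes from.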

Page 15

Let’s see detection in action… (live demo)

Page 16

Brought to you by Lumension (www.lumension.com)

Speaker: Dan Teal, Senior Architect

Page 17

More Information

• Free Security Scanner Tools
  » Vulnerability Scanner – discover all OS and application vulnerabilities on your network
  » Application Scanner – discover all the apps being used in your network
  » Device Scanner – discover all the devices being used in your network
  http://www.lumension.com/special-offer/premium-security-tools.aspx
• Lumension® Endpoint Management and Security Suite
  » Online Demo Video: http://www.lumension.com/Resources/Demo-Center/Vulnerability-Management.aspx
  » Free Trial (virtual or download): http://www.lumension.com/endpoint-management-security-suite/free-trial.aspx
• Get a Quote (and more): http://www.lumension.com/endpoint-management-security-suite/buy-now.aspx#2

Page 18

Q&A

Page 19

Global Headquarters
8660 East Hartford Drive, Suite 300
Scottsdale, AZ 85255
1.888.725.7828
[email protected]